
Facebook takes down accounts linked to Iran for coordinated inauthenticity. Iranian information operations appear to be learning from the Russian approach: be divisive, be negative, and be opportunistic. Investigations of pipe-bombs and the Pittsburgh synagogue shooting look at the suspects' digital record. IBM announces its acquisition of Red Hat. The Satori botnet continues to evolve. British Airways and Magecart. Supply chain seeding, probably not; dragonnades, yes. Emily Wilson from Terbium Labs on data from the most recent Facebook breach showing up on the dark web.

Transcript

Dave Bittner: [00:00:00] Hello, everybody. It's Dave. I am back from vacation. Yes, I have a little bit of a cold, but we will soldier on. I wanted to share some good news with you all. While I was away, the CyberWire passed the 10 million downloads mark. That's a pretty big deal. And we want to thank all of you for being a part of it. We couldn't do it without you. Thanks to all of you for your continued support, especially to our Patreon supporters. We do appreciate it. Here's the show.

Dave Bittner: [00:00:26] Facebook takes down accounts linked to Iran for coordinated inauthenticity. Iranian information operations appear to be learning from the Russian approach - be divisive, be negative and be opportunistic. Investigations of pipe bombs and the Pittsburgh synagogue shooting look at the suspects' digital record. IBM announces its acquisition of Red Hat. The Satori botnet continues to evolve. News on British Airways and Magecart. And supply chain seeding - no. Dragonnades - yes.

Dave Bittner: [00:01:04] Now, a moment to tell you about our sponsor ObserveIt. It's 2018. Traditional data loss prevention tools aren't cutting it anymore. They're too difficult to deploy, too time-consuming to maintain and too heavy on the endpoint. They are high maintenance and require endless fine-tuning. It's time to take a more modern approach. With ObserveIt, you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out-of-the-box insider threat library, ObserveIt is quick to deploy and far more effective at stopping data from leaving your organization. That's because ObserveIt focuses on user behavior. It's built to detect and respond to insider threats. And it's extremely difficult even for the most technical users to bypass. Bring your data loss prevention strategy into the modern era with ObserveIt. Learn more at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIt for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [00:02:12] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, October 29, 2018. On Friday, Facebook took down a number of inauthentic accounts run from Iran, as Twitter had done a week earlier. Iranian influence operations had hitherto been artlessly direct in following the Islamic Republic's domestic and international line. But this latest round of trolling was effectively indistinguishable from the familiar St. Petersburg style. The content pushed was opportunistically divisive, directed against fissures in both American and British culture. St. Petersburg's Internet Research Agency apparently referred traffic to bogus pages operated by Iran. This could be a sign of collusion, but simple alignment of interests and recognition of good work - good from Moscow's point of view - are at least as likely.

Dave Bittner: [00:03:05] It does appear that Facebook has hit upon a formulation for screening content that it may be able to apply in a workable fashion. They aren't focusing as much on the content as they are its source. Looking at coordinated inauthenticity is a marker for what they will try to filter. Some of the content being pushed by the Iranian troll accounts is indistinguishable from opinions that circulate among people in the targeted societies, who are intensely politically engaged and interested. But the identities behind the troll accounts Facebook is screening can be determined to be fictitious, and their activity on social media to exhibit a degree of coordination that suggests a state-run information operation. So bogus identities and astroturfs simulating grassroots would appear to be the social network's red flags. Facebook is still rumored to be shopping for a security company that might help with both breaches and content moderation.

Dave Bittner: [00:04:00] Different issues are presented by the digital spoor of both the alleged Florida pipe bomber and the alleged - we probably must say alleged, although he was taken into custody red-handed and wounded on the scene by police - the alleged killer who murdered 11 in a Pittsburgh synagogue this Saturday. The pipe bomber appears to have expressed solidarity with his Russian brothers, although how much of that counts even as inspiration is an open question. The Pittsburgh shooter was much more active in social media, particularly in those precincts of the platform Gab that catered to those with neo-Nazi sensibilities. Gab itself has gone down as it has lost access to services provided by other sectors of the industry. PayPal, Medium, Joyent and GoDaddy all stopped doing business with Gab over the weekend, effectively driving the social network from the internet. What role private industry will come to play in this sort of content moderation remains to be seen.

Dave Bittner: [00:04:59] IBM announced its intention to acquire Red Hat for $34 billion, a bet that IBM's future lies in hybrid cloud and subscription-based software. While tangentially related to security, the coming acquisition is regarded by most observers as a very big deal indeed. TechCrunch, for example, says that IBM is betting the farm on this one. And it's a transaction we'll certainly be watching with interest. That farm is a big one. Researchers at CenturyLink report that the Satori botnet continues to evolve and remains a threat. This is noteworthy because the individual regarded as one of its principal alleged authors has been in custody for some time. Satori has over the past few months moved away from its original set of IoT targets, many of which it took from its Mirai precursor, and onto Android devices. That alleged author is one Kenneth Currin Schuchman, also known by his preferred nom de hack of Nexus Zeta. He was arrested in August and granted pretrial release. He's now back in custody for violating the terms of that release. What exactly he did, ZDNet reports, isn't known. But it was enough to land him back in the SeaTac detention center in the state of Washington.

Dave Bittner: [00:06:17] On Friday, the Librarian of Congress and the U.S. Copyright Office added more exemptions to Digital Millennium Copyright Act enforcement. The exemptions are intended to reduce the risk that legitimate security research would run afoul of the DMCA. Fortune magazine reports that Amazon is pulling back on advertising with Bloomberg. Amazon has cited advertising budget changes. But sources tell Fortune that the cutback is an expression of displeasure with Bloomberg's reporting on the alleged supply chain poisoning attack by Chinese intelligence services. Amazon, like Apple and Supermicro, has demanded a retraction from Bloomberg. Cult of Mac reports that Apple has disinvited Bloomberg from its fall event. Apple hasn't commented, but BuzzFeed reports that this too is retaliation for the controversial and increasingly less credible story.

Dave Bittner: [00:07:13] Security firm Securonix has an analysis of the recent British Airways breach. They note that it's one in a series of attacks by the Magecart gang, which has been stealing payment card data and personal information since 2015 at least. They note that Magecart has made heavy use of customized malicious JavaScript on the victim's website. They have, at different times, done this by directly compromising their target's website or through the compromise of some third-party component used on that website. In the case of the British Airways breach, Securonix thinks the attack was accomplished by directly modifying code on the airline's main website itself.

Dave Bittner: [00:07:52] Cyber risk continues to occupy more corporate board attention. A report from Deloitte finds that the two greatest threats to companies - as CEOs and boards reckon them - are, first, disruption of the business by new technologies or innovations and, second, cyber incidents or events. The FBI has glumly warned companies not to expect simple attribution to do much to deter North Korean hacking. Pyongyang really doesn't have much to fear when it comes to reputational risk alone, which shows how having nothing to lose can sometimes amount to a position of strength.

Dave Bittner: [00:08:28] The Chinese government's policy of stationing loyal citizens, mostly ethnic Han, in the households of mostly Muslim workers may remind Americans why their Bill of Rights has a Third Amendment to preclude such dragonnades. In fairness to the memory of the tyrant George III - words which we doubt have been written recently - the Quartering Acts seldom resulted in redcoats imposing themselves on the family hearth. They were more a measure intended to get the colonists to pay what His Majesty's government took to be a reasonable fraction of their defense against the French and Indians. And so the colonial treasuries were expected to, for example, build barracks as needed or pay to lodge soldiers in inns and public houses - or in extreme cases, in barns and outbuildings, as happens with European armies on field exercises even to this day.

Dave Bittner: [00:09:20] But the patriots wanted no more of that than they wanted expensive or tiresome stamps. And they were also aware of how the French crown had used the dragonnades against the Huguenots. So the last thing you wanted if you were living peacefully in - let's say Armonk in the Colony of New York - was a file of British regulars looking for accommodations. The Chinese policy is a more serious and more intrusive matter - an aggressive form of surveillance and information operations conducted on the ground and in-person with a domestic population. This would seem to be a case in which long-standing policy in cyberspace has now found its expression in physical space.

Dave Bittner: [00:10:04] It's time to tell you about our sponsor ManTech. The cyber threat is growing, but so is the cyber talent gap. By 2019, ISACA predicts a 2 million global shortage of skilled professionals to meet demands. ManTech has the answer. They've been designing, building and staffing Department of Defense cyber ranges for more than 10 years. With ManTech's advanced cyber range environment, or ACRE, organizations of any size can develop their own core of cyber professionals. ACRE uses more than a dozen proprietary tools, techniques and processes to emulate any network environment regardless of size or complexity. Train, evaluate tools, conduct security architecture testing and undergo live fire exercises on an exact replica of your own network environment. And do it with instructors who understand both offensive and defensive cyber. ManTech helps you think like your adversary and outmaneuver them. This is Advantage ManTech. See how ManTech can work to your advantage. Go to mantech.com/cyber today. That's mantech.com/cyber. And we thank ManTech for sponsoring our show.

Dave Bittner: [00:11:24] And joining me once again is Emily Wilson. She's the fraud intelligence manager at Terbium Labs. Emily, welcome back. We have heard a lot about this recent Facebook breach. And I wanted to touch base with you about what this means from a dark web perspective, what we might expect. Might there - might we see these credentials online? What's your take on it?

Emily Wilson: [00:11:43] I don't expect we'll see this information showing up on the dark web, at least not packaged as coming from this particular breach, in the same way that after Equifax or so many of these large breaches - right? - the information doesn't immediately show up on the dark web. And it's very rarely packaged as such. A few notable instances where it is packaged that way - right? - are some of the legacy breaches we saw a few years ago where the LinkedIn database was dumped or, you know, we saw information from Tumblr. But in most cases, people aren't going to take these large data sets and sell them off. It really draws way too much attention to the vendor.

Dave Bittner: [00:12:21] Oh, so the data set itself is too hot.

Emily Wilson: [00:12:24] A little bit of that and also, sometimes, you might have a financial motivation behind why you want to do something. Maybe you also just want to, you know, do a little casual vandalism and dump all of this data. But if you've got your hands on that many credentials, you'd think you'd try and use them yourself first if you're going to, you know, manage to get a hold of them.

Dave Bittner: [00:12:43] Do these credentials tend to filter through over time where eventually, they'll end up on the dark web?

Emily Wilson: [00:12:50] I think certainly, you know, there's a good possibility we'll see these accounts end up in some form or fashion on the dark web. I also think - and, you know, I'm going to sound a little bit more like a broken record here. But it's not like this will be the first time there's been Facebook accounts on the dark web. There have been Facebook accounts for sale probably for as long as Facebook's been out there and there have been dark web markets, right? These are a regular type of good that we see on these markets for sale.

Dave Bittner: [00:13:24] And where does a Facebook account sit on the spectrum of valuable things to sell in a dark web market?

Emily Wilson: [00:13:24] If we're talking about value and not price, which I think is the more interesting conversation...

Dave Bittner: [00:13:28] OK.

Emily Wilson: [00:13:28] You know, these are very valuable because, you know, your Facebook identity is almost as good as a regular identity. You know, one of the issues that we saw exploited with this breach was the issue with Facebook's single sign-on. If you have access to someone's Facebook account, then you have access to all of the personal information you could ever need. You have a, you know, fully vetted audience of people, you know, ready and willing to accept scams because you're coming at it from a, quote, unquote, like, "trusted source."

Dave Bittner: [00:13:56] Right, a real-names...

Emily Wilson: [00:13:58] Yeah.

Dave Bittner: [00:13:58] ...Kind of thing.

Emily Wilson: [00:13:59] And plenty of advertisements for Facebook accounts being used as a method to cash out or Facebook accounts being used as a way to verify other payment accounts, right? This is a Facebook account that comes with a verified payment processor account. So, you know, you can skip over some of the other more traditional methods of using identity verification, so Facebook accounts are very valuable, right? Most people have them. Most people are using the same passwords across multiple sites. And most people share a lot of information with Facebook because Facebook is very, very good at getting you to open up and try to create a customized experience. And that's exactly the kind of thing fraudsters want to use against you.

Dave Bittner: [00:14:40] It's going to be interesting to see how this one plays out. If - how many nails in the coffin can Facebook get before people start leaving in droves, if that ever happens, if it's possible? I don't know.

Emily Wilson: [00:14:53] I don't know if it's possible because - and I was just talking to someone about this yesterday. Right now for a lot of people, there aren't any good alternatives. And the trade-offs aren't worth it, right? If your options are to get off of Facebook and hopefully, find some way to clear up all of the data that you've already shared, that's already been passed on to third parties - and how someone would even go about doing that, you know, your average consumer - good luck. Even if you do all of that, is it worth missing out on your family and your friends...

Dave Bittner: [00:15:26] Right.

Emily Wilson: [00:15:26] ...Especially for, you know, certain generations where this is their primary way of staying in touch? It - you know, they're just not going to do that. And so Facebook has a fairly captive audience.

Dave Bittner: [00:15:42] And that's the CyberWire. I figure while I have this cold, I might as well take advantage of it. For links to all of today's stories, interviews, our glossary and more, visit thecyberwire.com.

Dave Bittner: [00:15:53] Thanks to our sponsors for making the show possible, especially our sustaining sponsor Cylance. Find out how they use artificial intelligence to help protect you at cylance.com. You know, Cylance isn't just a sponsor. We use their products here to protect the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.

Dave Bittner: [00:16:18] The CyberWire podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're building the next generation of cybersecurity startups and technologies. Our coordinating producer is Jennifer Eiben, editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
